NSA ANT USB, 30C3, Jacob Appelbaum, 30 December 2013 


For USB connectors, the NSA's ANT division offers a whole range of computer bugs. They are either disguised as the USB plug of a keyboard, or as a kind of USB extension plug that is inserted unnoticed between the mouse, keyboard or another connector and the computer itself. They transmit and receive either over short distances ("Cottonmouth I") or, by way of a further implant somewhere in the computer or in the room, over longer distances ("Cottonmouth II", "Cottonmouth III"). These implants make it possible both to monitor the tapped computer and its network and to send commands to the computer and into the hijacked network.

COTTONMOUTH-1 is a USB plug implant for intercepting communications, injecting Trojans, etc. It can connect to other COTTONMOUTH implants via a built-in radio transmitter.

COTTONMOUTH-2 is a USB implant that enables remote control of a target system. It is coupled to a radio module that is hidden in the computer case and enables access from a greater distance.

COTTONMOUTH-3 is a USB implant for establishing a covert communication path over radio waves with computers that are operated offline or for which an attack via the network interface is not practical. It is coupled to a radio module that is hidden in the computer case and enables access from a greater distance or connects to other COTTONMOUTH modules nearby.

FIREWALK is a hardware implant in the form of an Ethernet or USB socket that allows the interception of data and the active injection of attack tools over radio.

COTTONMOUTH-I


ANT Product Data 


(TS//SI//REL) COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware implant which will provide a wireless bridge into a target network as well as the ability to load exploit software onto target PCs.

(TS//SI//REL) CM-I will provide air-gap bridging, software persistence capability, “in-field” re-programmability, and covert communications with a host software implant over the USB. The RF link will enable command and data infiltration and exfiltration. CM-I will also communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert channel implemented on the USB, using this communication channel to pass commands and data between hardware and software implants. CM-I will be a GENIE-compliant implant based on CHIMNEYPOOL.

(TS//SI//REL) CM-I conceals digital components (TRINITY), USB 1.1 FS hub, switches, and HOWLERMONKEY (HM) RF Transceiver within the USB Series-A cable connector. MOCCASIN is the version permanently connected to a USB keyboard. Another version can be made with an unmodified USB connector at the other end. CM-I has the ability to communicate to other CM devices over the RF link using an over-the-air protocol called SPECULATION.

[Figure: COTTONMOUTH CONOP, INTERNET Scenario. Recoverable label: High Side]


Status: Availability — January 2009
Unit Cost: 50 units: $1,015K
POC: [redacted], S3223, [redacted], [redacted]@nsa.ic.gov
ALT POC: [redacted], S3223, [redacted], [redacted]@nsa.ic.gov
Declassify On: 20320108

COTTONMOUTH-II
ANT Product Data 


08/05/08

(TS//SI//REL) COTTONMOUTH-II (CM-II) is a Universal Serial Bus (USB) hardware Host Tap, which will provide a covert link over USB link into a target's network. CM-II is intended to operate with a long haul relay subsystem, which is co-located within the target equipment. Further integration is needed to turn this capability into a deployable system.

(TS//SI//REL) CM-I will provide software persistence capability, “in-field” re-programmability, and covert communications with a host software implant over the USB. CM-II will also communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert channel implemented on the USB, using this communication channel to pass commands and data between hardware and software implants. CM-II will be a GENIE-compliant implant based on CHIMNEYPOOL.

(TS//SI//REL) CM-II consists of the CM-I digital hardware and the long haul relay concealed somewhere within the target chassis. A USB 2.0 HS hub with switches is concealed in a dual stacked USB connector, and the two parts are hard-wired, providing an intra-chassis link. The long haul relay provides the wireless bridge into the target's network.

[Figure: COTTONMOUTH - II (CM-I) CONOP, ANT Covert Network Scenario. Recoverable labels: High Side, Low Side]


Unit Cost: 50 units: $200K
Status: Availability - September 2008
POC: [redacted], S3223, [redacted], [redacted]@nsa.ic.gov
ALT POC: [redacted], S3223, [redacted], [redacted]@nsa.ic.gov
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20320108

COTTONMOUTH-III
ANT Product Data 


(TS//SI//REL) COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware implant, which will provide a wireless bridge into a target network as well as the ability to load exploit software onto target PCs.

(TS//SI//REL) CM-III will provide air-gap bridging, software persistence capability, “in-field” re-programmability, and covert communications with a host software implant over the USB. The RF link will enable command and data infiltration and exfiltration. CM-I will also communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert channel implemented on the USB, using this communication channel to pass commands and data between hardware and software implants. CM-III will be a GENIE-compliant implant based on CHIMNEYPOOL.

(TS//SI//REL) CM-III conceals digital components (TRINITY), a USB 2.0 HS hub, switches, and HOWLERMONKEY (HM) RF Transceiver within an RJ45 Dual Stacked USB connector. CM-I has the ability to communicate to other CM devices over the RF link using an over-the-air protocol called SPECULATION. CM-III can provide a short range inter-chassis link to other CM devices or an intra-chassis RF link to a long haul relay subsystem.

[Figure: COTTONMOUTH CONOP, INTERNET Scenario]


Status: Availability - May 2009 Unit Cost: 50 units: $1,248K 


POC: [redacted], S3223, [redacted], [redacted]@nsa.ic.gov
ALT POC: [redacted], S3223, [redacted], [redacted]@nsa.ic.gov
Dated: 20070108
Declassify On: 20320108
TOP SECRET//COMINT//REL TO USA, FVEY 


TOP SECRET//COMINT//REL FVEY 


FIREWALK
ANT Product Data

(TS//SI//REL) FIREWALK is a bidirectional network implant, capable of passively collecting Gigabit Ethernet network traffic, and actively injecting Ethernet packets onto the same target network.

(TS//SI//REL) FIREWALK is a bi-directional 10/100/1000bT (Gigabit) Ethernet network implant residing within a dual stacked RJ45 / USB connector. FIREWALK is capable of filtering and egressing network traffic over a custom RF link and injecting traffic as commanded; this allows an Ethernet tunnel (VPN) to be created between target network and the ROC (or an intermediate redirector node such as DNT's DANDERSPRITZ tool.) FIREWALK allows active exploitation of a target network with a firewall or air gap protection.

(TS//SI//REL) FIREWALK uses the HOWLERMONKEY transceiver for back-end communications. It can communicate with an LP or other compatible HOWLERMONKEY based ANT products to increase RF range through multiple hops.


[Figure. Recoverable label: Target Space]

Legend:
- DS = DANDERSPRITZ, spoofs IP & MAC Addr
- HM = HOWLERMONKEY
- LHR = Long Haul Relay


Status: Prototype Available — August 2008
Unit Cost: 50 Units $537K
POC: [redacted], S3223, [redacted], [redacted]@nsa.ic.gov
ALT POC: [redacted], S3223, [redacted], [redacted]@nsa.ic.gov
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20320108